Ever since the National Security Agency's secret surveillance program came to light three weeks ago, implicated companies have issued carefully worded statements denying that government snoops have direct or wholesale access to e-mail and other sensitive customer data. The most strenuous denial came 10 days ago, when Apple said it took pains to protect personal information stored on its servers, in many cases by not collecting it in the first place.

"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them," company officials wrote. "Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form."

Some cryptographers and civil liberties advocates have chafed at the claim that even Apple is unable to bypass the end-to-end encryption protecting those conversations. After all, Apple controls the password-based authentication system that locks and unlocks customer data. More subtly, but no less importantly, cryptographic protections are highly nuanced things that involve huge numbers of moving parts. Choices about the types of keys that are used, the ways they're distributed, and the specific data that is and isn't encrypted have a huge effect on precisely what data is and isn't protected and under what circumstances.

Even when everything is done right, there are frequently limitations—and more often than not, huge trade-offs—on how easy the service will be to navigate by average users. And yet, none of this complexity is reflected in Apple's blanket statement. No wonder some security experts are skeptical.

I spent the past week weighing the evidence and believe it's an overstatement for Apple to say that only the sender and receiver of iMessage and FaceTime conversations can see and read their contents. There are several scenarios in which Apple employees, either at the direction of an NSA order or otherwise, could read customers' iMessage or FaceTime conversations, and I'll get to those in a moment. But first, I want to make it clear that my conclusion is based on so-called black-box testing, which examines the functionality of an application or service with no knowledge of its internal workings. No doubt, Apple engineers have a vastly more complete understanding, but company representatives declined my request for more information.

Passing the mud puddle test

The first important exception to the claim that Apple can't read iMessages is that it doesn't apply if those conversations are stored as a backup in a user's iCloud account. How do cryptographers know this to be true? Because iCloud encryption doesn't pass what Johns Hopkins University research professor Matt Green calls the mud puddle experiment, a litmus test for assessing the security of cloud encryption protections. At its core, it involves the user losing the iPhone containing his data, changing his iCloud password, and then attempting to restore the data onto a new device. If the user can retrieve the data, so too can the cloud provider, either by a rogue employee with the authority and know-how or at the behest of the government.

At my request, independent privacy and security researcher Ashkan Soltani performed the mud puddle test earlier this week and confirmed that it's possible for Apple to decrypt iMessages stored in the Apple cloud in just seconds or minutes. After answering several security questions to reset his iCloud password, he tried to restore his backup to a completely different iPhone that had been reset to a factory-clean state. The backup data—including iMessages, e-mail, and photos—were restored in full to the new device.

"A preliminary black-box test seems to indicate old iMessages, text messages, and e-mails are stored in iCloud and can be restored using the iForgot mud puddle recovery test," Soltani said. "It definitely appears that iMessages are restored from iCloud backup, not the iMessage service."

[Image caption: A screenshot taken earlier this week when independent researcher Ashkan Soltani changed his iCloud password.]

Green, the Johns Hopkins cryptographer, was able to reproduce those results in his own test. He said it's technically possible Apple uses security questions to encrypt the iCloud backups, and if this were true, it would strengthen the claim that it's not possible for people other than the sender and receiver to read messages. But Green went on to say it's not likely that security questions are being used to derive an encryption key, since the answers don't contain enough entropy to securely encrypt the data.

The take-away: true end-to-end encryption doesn't apply to iMessages backed up in iCloud. If you want to ensure your iMessage conversations aren't susceptible to government surveillance, don't store them there. Ever. Some people may already have been aware of this important limitation, but since I can't find any place where Apple has explicitly spelled it out, it's worth including the caveat in this article.

Keys to the Kingdom

But even if you don't store iMessages in iCloud, there are almost certainly other ways Apple could decrypt them if it wanted to. That's because Apple acts as a directory look-up service that iMessage apps can use to find the public key belonging to the person receiving a message. The integrity of the entire system rests on Apple distributing the right public key for the right person. The ease of resetting passwords already suggests Apple has little trouble generating new user credentials. And there don't appear to be any warnings or dialogs displayed when the public key of a receiver has changed.

The upshot is that Apple employees—or maybe even an attacker who hacks Apple's directory server—might be able to alter the key distribution mechanism, swapping out a receiver's public key with whatever key the employees or attackers choose. Whoever has the corresponding private key could then read the messages.

There's also the ability to display sent and received iMessages on multiple devices, so that a user can easily view conversations whether she's using her Mac, iPhone, or iPad. No doubt, this makes life more convenient, but it also could diminish the encryption protection. Right now, iMessage appears to notify users when a new device is configured to receive messages, but there's no indication these warnings are hard-wired into the system. If they're not, then Apple can turn them off at will. And with the notifications suppressed, it would be possible for a new device belonging to someone other than the account holder to secretly receive iMessage communications. While this technique would most likely work only for messages sent and received after the new device was silently added—and not messages sent or received months or years earlier—it still seems to highlight a significant loophole to the claim that even Apple can't decrypt iMessage conversations.

And as Green makes clear in his blog post, Apple's statement says nothing about how company officials handle metadata showing, for example, the times messages were sent and who received them.

Keeping them honest

None of this discussion is intended to single out Apple. Judging from the difficulty some federal agents have monitoring suspects' iMessages, the instant messaging service is probably one of the harder ones to tap. But hard to decrypt and impossible to decrypt are two entirely different things. Ultimately, I decided to publish this article because Apple is the only company to step forward following revelations of the NSA's PRISM surveillance program and suggest it's technically infeasible for third parties to read or decrypt its encrypted data.

"In the case of iMessage intercept capabilities, Apple is taking a page from Skype's playbook—make very carefully worded statements about the existence of encryption, and then let people read far more into their claims than they have actually made," Chris Soghoian, who is principal technologist and senior policy analyst for the American Civil Liberties Union, told Ars. "When reading Apple's carefully worded PRISM denial, remember it was written by a hybrid team of lawyers and PR folks. Every word matters. At best, they are being cagey, at worst, outright deceptive."

As Soghoian and other critics admit, the end-to-end encryption included with iMessage may make it impossible for Apple to decrypt conversations, at least in some circumstances. But in the absence of key details that Apple has steadfastly declined to provide, customers who are especially concerned about their privacy would do well to assume otherwise.

88 Reader Comments

Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.

This is why the only real encryption you can trust is the kind that you can set up yourself (GPG, for instance).

> Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.

As far as I know, RIM has never said messages sent over BlackBerries get end-to-end encryption and that even RIM is unable to decrypt the messages.

In order to restore from an iCloud Backup, you must provide your username and password.

Very likely, the SAME username and password with which you are signed into the iMessage service, and if not, the same one you were using to sign into the iCloud service on the original device which the backup was made from.

Now, on the flip side, these conditions are NOT true for an unencrypted iTunes Backup.

> In order to restore from an iCloud Backup, you must provide your username and password.
>
> Very likely, the SAME username and password with which you are signed into the iMessage service, and if not, the same one you were using to sign into the iCloud service on the original device which the backup was made from.
>
> Now, on the flip side, these conditions are NOT true for an unencrypted iTunes Backup.

The point is that you can change the password before restoring. So the password can't be what's used to encrypt your data.

> > Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.
>
> As far as I know, RIM has never said messages sent over BlackBerries get end-to-end encryption and that even RIM is unable to decrypt the messages.

Would this constitute such a claim?

"As we have stated on several occasions, and as we have set out in our company’s Lawful Access Principles, RIM cannot access information encrypted through BlackBerry Enterprise Server as RIM is not ever in possession of the encryption keys."

> > Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.
>
> As far as I know, RIM has never said messages sent over BlackBerries get end-to-end encryption and that even RIM is unable to decrypt the messages.

Like others in our industry, from time to time, BlackBerry may receive requests from legal authorities for lawful access assistance. We are guided by appropriate legal processes and publicly disclosed lawful access principles in this regard, as we balance any such requests against our priority of maintaining privacy rights of our users. We do not speculate or comment upon individual matters of lawful access. Additionally, BlackBerry does not provide special deals for individual countries, and we clearly stipulate that BlackBerry has no ability to support the access of BlackBerry® Enterprise Server (BES) communications as only our enterprise clients have control over the encryption keys for these communications. BlackBerry is committed to operating its business in accordance with recognized industry standards of business and social responsibility in the markets we serve. BlackBerry will continue to evaluate the markets in which we operate, we will engage and express our views to government and we will continue to operate in a principled manner.

> In order to restore from an iCloud Backup, you must provide your username and password.
>
> Very likely, the SAME username and password with which you are signed into the iMessage service, and if not, the same one you were using to sign into the iCloud service on the original device which the backup was made from.

I believe this to be true. I have multiple iCloud accounts and I only have one linked to iMessage. If I don't provide my username and password for that specific account I can't get my iMessages. And considering how rarely it syncs between my devices I'd bet that security "hole" is pretty small. (That's a joke and a stab at how unreliable iMessage is, not a declaration it isn't possibly a large hole to exploit.)

How is "no one but the sender and receiver can read a message" a cagey statement?

I understand that in some ways it might be wrong, but I don't see what's cagey about it.

EDIT: Also, I think context is important. I don't think Apple was claiming that there is absolutely no chance of a bug in their system. I also don't think they were claiming there's no way an attacker could successfully attack their system. I think they were reacting to the claim that they give NSA a direct tap into their servers, so that everything you do on an Apple device automatically gets to the NSA. Their point was that Apple doesn't even have access to that data, so couldn't share it with the NSA if they wanted, which they went on to say they don't share data like that, anyway.

In order to have confidence you'd have to see and audit the software source and compile it from that source yourself; similar caveats apply to the operating system it runs on and even the hardware level. All the cryptography and key storage would have to happen locally under the user's control.

"Trust no one... except for me, and many thousands of my employees, also all my software engineers are incapable of errors"

I would never think messages are impossible to get if a person has a warrant (any service).

All I can hope for is it to need one.

IMO what is needed are very explicit privacy laws. PGP-like encryption for all communications is simply too unwieldy for all but the most meticulously privacy-conscious. We need laws that forbid the state from opening or compelling a service provider to open encrypted communications of private citizens without judicial oversight and a sufficiently high burden of proof. And more transparency on the process and how it's being used.

While we're at it, I'd be in favour of laws regulating the gathering, aggregation, and analysis of metadata. An alarming amount of profiling can be done simply by knowing everybody's associations.

> > > Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.
> >
> > As far as I know, RIM has never said messages sent over BlackBerries get end-to-end encryption and that even RIM is unable to decrypt the messages.
>
> Would this constitute such a claim?
>
> "As we have stated on several occasions, and as we have set out in our company’s Lawful Access Principles, RIM cannot access information encrypted through BlackBerry Enterprise Server as RIM is not ever in possession of the encryption keys."

I observe many people confuse BIS and BES. BES is the BlackBerry add-on for Microsoft Exchange Server and BIS is the more consumer and small business focused product managed by BlackBerry. As I understand it, the deal that RIM (now BlackBerry) made with UAE and India is that they will decrypt messages upon request, which is different from handing over the keys, but certainly BlackBerry has access to anything used across phones using BIS.

I don't know if you can get any BlackBerry rep to go on the record, but my understanding is they will aid in metadata, but can't decrypt email. But BB10 is quite different from the old BlackBerry mail, at least on BIS. For instance the BlackBerry BIS email accounts are no longer supported on BB10. Also, BlackBerry added BlackBerry ID, which does allow email to be read on multiple BlackBerry devices.

But sticking to Apple, what about that Gawker article where the Apple Genius got his iMessage intercepted by a totally unrelated phone? Some sort of tacky hot tub photo was published.

> Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.
>
> This is why the only real encryption you can trust is the kind that you can set up yourself (GPG, for instance).

Steve Gibson did a detailed explanation of how LastPass worked for an episode of Security Now. Lastpass never receives the key that would allow them to decrypt your information.

> > In order to restore from an iCloud Backup, you must provide your username and password.
> >
> > Very likely, the SAME username and password with which you are signed into the iMessage service, and if not, the same one you were using to sign into the iCloud service on the original device which the backup was made from.
> >
> > Now, on the flip side, these conditions are NOT true for an unencrypted iTunes Backup.
>
> The point is that you can change the password before restoring. So the password can't be what's used to encrypt your data.

To be fair to Apple, they appear to be acting as nothing more than a trusted certificate authority for iMessage users, and any such authority could issue trusted MITM keys to the spooks. The problem is that Apple does not market itself as a trust root, so they don't have much to lose. Whereas no real authority would ever capitulate, as the (undeniable, due to the valid signatures) breach of trust would ruin them if not place them under criminal charges in other jurisdictions. DigiNotar being a classic example of what happens when people stop trusting a "trusted" root authority.

Of course, if they have rolled their own encryption scheme they may well have just cocked it up (VERY easy to do, especially with asymmetric crypto).

> How is "no one but the sender and receiver can read a message" a cagey statement?
>
> I understand that in some ways it might be wrong, but I don't see what's cagey about it.
>
> EDIT: Also, I think context is important. I don't think Apple was claiming that there is absolutely no chance of a bug in their system. I also don't think they were claiming there's no way an attacker could successfully attack their system. I think they were reacting to the claim that they give NSA a direct tap into their servers, so that everything you do on an Apple device automatically gets to the NSA. Their point was that Apple doesn't even have access to that data, so couldn't share it with the NSA if they wanted, which they went on to say they don't share data like that, anyway.

Even that is "fluff".

Oh sure. I didn't give you DIRECT access to my servers.

But, I know you installed taps between the servers and the end-users (interception). Oh. And I shared with you my encryption method.

I'm not technically "sharing" the information with you. I'm just turning a blind eye to you.

If there is no legal requirement to do so, why would Apple want to backdoor its own messaging service?

I understand that a legal corporation must follow the law, but even a FISA court can't compel a service provider to make the communication decipherable by the government.

If Apple, Microsoft and Google wanted it, they could overnight implement strong end to end encryption mooting any government snooping. Why would any company do anything to ease government interception beyond what's strictly required by law? There must be something else going on.

> > > > Operators of services need to control their services. In absence of a requirement for end-to-end encryption for practical matters (say, LastPass or any real VPN service) I would be surprised if they didn't. I believe even BlackBerry has the keys to their users' message encryption, as could be seen by their capitulation to the Emirates.
> > >
> > > As far as I know, RIM has never said messages sent over BlackBerries get end-to-end encryption and that even RIM is unable to decrypt the messages.
> >
> > Would this constitute such a claim?
> >
> > "As we have stated on several occasions, and as we have set out in our company’s Lawful Access Principles, RIM cannot access information encrypted through BlackBerry Enterprise Server as RIM is not ever in possession of the encryption keys."
>
> I observe many people confuse BIS and BES. BES is the BlackBerry add-on for Microsoft Exchange Server and BIS is the more consumer and small business focused product managed by BlackBerry. As I understand it, the deal that RIM (now BlackBerry) made with UAE and India is that they will decrypt messages upon request, which is different from handing over the keys, but certainly BlackBerry has access to anything used across phones using BIS.

If Blackberry can reliably decrypt messages without the key, is there any practical difference? As I understand it BES messages always pass through the RIM Network Operation Center?

> If there is no legal requirement to do so, why would Apple want to backdoor its own messaging service?
>
> I understand that a legal corporation must follow the law, but even a FISA court can't compel a service provider to make the communication decipherable by the government.
>
> If Apple, Microsoft and Google wanted it, they could overnight implement strong end to end encryption mooting any government snooping. Why would any company do anything to ease government interception beyond what's strictly required by law? There must be something else going on.

Not sure what you mean by the last statement.

From my perspective, why would any company not have an interest in doing something sinister? Apple is really only beholden to Apple. Welcome to the world of the multinational corporation. US Gov't offers $$$ in exchange? Sure. Is Apple breaking the law? Or is it the US Gov't? When was the last time you saw a company truly receive a "death sentence" for any malfeasance they conducted?

> Steve Gibson did a detailed explanation of how LastPass worked for an episode of Security Now. LastPass never receives the key that would allow them to decrypt your information.

And if you forget your password all your data in lastpass is gone. Forever.

iCloud is a backup service. Being able to access your data is more important than privacy for most of the world.

I would like to see a followup article with Apple's two factor authentication taken into account. It looks like enabling two factor auth closes the "mud puddle" security hole, as Apple warns in their FAQ that if you have two factor auth enabled Apple's support staff will be unable to help you access your account should you lose your password and the one-time use recovery key.

> The upshot is that Apple employees—or maybe even an attacker who hacks Apple's directory server—might be able to alter the key distribution mechanism, swapping out a receiver's public key with whatever key the employees or attackers choose. Whoever has the corresponding private key could then read the messages.

This can be true if in fact iMessages are encrypted but not authenticated. This is simply an old and well known weakness of encryption only schemes. There are many attacks such schemes fall prey to.

However, that is why a MAC (Message Authentication Code) is used in conjunction with encryption, and why there are specific ways such schemes need to be implemented to make MAC + Encryption secure. Most importantly, the MAC used needs to be secure, and not something like CRC32 or MD5 for example.

So in a potential iMessage scheme, sender makes a MAC using her secret key, and receiver verifies the message using the sender's public key. This leaves the man in the middle (Apple etc.) with the problem of generating a valid code for the message. The fake message can not be delivered without exposing the fraud.

Note that this only serves to protect iMessage end to end encryption from a man in the middle attack as described and only if it was actually done. Once delivered (even if perfectly securely delivered), the message contents are subject to the iCloud storage flaws described in the article.

However, there is still a problem if both sender and recipient are spoofed into using the man in the middle's fake keys. Such a scheme needs to be in place before the snooping though. Or the man in the middle would need a way to force each side of the conversation to dump their old keys and start communicating via the fake keys. All the key acrobatics is performed by Apple though, so there is exactly one entity that can snoop: Apple.

All this assumes a MAC of course, which need not be the case.

Blame the lack of coffee I am about to fix for any flaws in this reasoning.
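Two pieces of client-side machinery that the article's "Keys to the Kingdom" section and the comment above both circle around, as an added Go example that is neither Apple's code nor anything derived from iMessage: a client that pins the device keys it has seen for each peer (trust on first use) and reports additions or removals, which is the warning the article notes is missing, and signature verification with and without those pins, which is why the MAC or signature the commenter proposes only helps once the verifier holds a key it trusts independently of the directory. The directory, the clients alice, bob and eve, the truncated fingerprint format and the message text are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Directory models the provider-run lookup service (user id -> public keys of
// that user's devices); whoever controls it can serve any keys it likes.
type Directory map[string][]ed25519.PublicKey

// Fingerprint: truncated SHA-256 of a key, short enough to compare out of band.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:8])
}

func fingerprints(keys []ed25519.PublicKey) map[string]bool {
	set := map[string]bool{}
	for _, k := range keys {
		set[Fingerprint(k)] = true
	}
	return set
}

// Client: its own identity key plus a trust-on-first-use pin store holding the
// device fingerprints it has previously accepted for each peer.
type Client struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
	Pins map[string]map[string]bool
}

func NewClient() *Client {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does
	return &Client{Pub: pub, Priv: priv, Pins: map[string]map[string]bool{}}
}

// KeyChange is the warning the article notes is absent when a receiver's key
// changes: which pinned device keys vanished and which new ones appeared.
type KeyChange struct{ Removed, Added []string }

// LookupPeer fetches the peer's keys and diffs them against the pins. First
// contact pins silently (TOFU); afterwards any difference is reported and the
// pins stay as they were until the user calls AcceptKeys.
func (c *Client) LookupPeer(dir Directory, peer string) ([]ed25519.PublicKey, KeyChange) {
	served, seen := dir[peer], fingerprints(dir[peer])
	pinned, known := c.Pins[peer]
	if !known {
		c.Pins[peer] = seen
		return served, KeyChange{}
	}
	var change KeyChange
	for f := range pinned {
		if !seen[f] {
			change.Removed = append(change.Removed, f)
		}
	}
	for f := range seen {
		if !pinned[f] {
			change.Added = append(change.Added, f)
		}
	}
	return served, change
}

// AcceptKeys is the user's explicit "yes, that really is my friend's new phone".
func (c *Client) AcceptKeys(peer string, keys []ed25519.PublicKey) { c.Pins[peer] = fingerprints(keys) }

// Verify accepts sig only under a key that is both served by the directory for
// sender and present in pins; with no pins nothing verifies.
func Verify(dir Directory, sender string, msg, sig []byte, pins map[string]bool) bool {
	for _, pk := range dir[sender] {
		if pins[Fingerprint(pk)] && ed25519.Verify(pk, msg, sig) {
			return true
		}
	}
	return false
}

// VerifyTrustingDirectory is what a client without pins does: it treats whatever
// the directory serves right now as trusted, so a substituted key is never caught.
func VerifyTrustingDirectory(dir Directory, sender string, msg, sig []byte) bool {
	return Verify(dir, sender, msg, sig, fingerprints(dir[sender]))
}

func main() {
	alice, bob, eve := NewClient(), NewClient(), NewClient()
	dir := Directory{"alice": {alice.Pub}, "bob": {bob.Pub}}
	alice.LookupPeer(dir, "bob") // first contact on both sides pins the keys
	bob.LookupPeer(dir, "alice")
	dir["bob"] = append(dir["bob"], eve.Pub) // an extra device appears on bob's account
	_, change := alice.LookupPeer(dir, "bob")
	fmt.Printf("bob's key set changed: added=%v removed=%v\n", change.Added, change.Removed)
	dir["alice"] = []ed25519.PublicKey{eve.Pub} // alice's key replaced outright
	msg, sig := []byte("constructed message"), ed25519.Sign(eve.Priv, []byte("constructed message"))
	fmt.Println("trust directory:", VerifyTrustingDirectory(dir, "alice", msg, sig), "check pins:", Verify(dir, "alice", msg, sig, bob.Pins["alice"]))
}
```

Run as is, it prints the change report for bob's account and then the two verification results for the substituted key. The design point sits in Verify: the signature on the substituted message is cryptographically valid, so a verifier that takes the directory's word for which key belongs to alice accepts it; only the pin store, which the directory cannot rewrite, turns the substitution into a failure, and out-of-band fingerprint comparison is what seeds that store with something better than first sight.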

Ars deciphers "end-to-end" crypto claims? By making assumptions? Show us how you actually intercept and decrypt someone else's iMessage conversation, to add a little credibility to your assumptions, please.

> From my perspective, why would any company not have an interest in doing something sinister?

Let me flip your question about slightly: "Why would any company not want to aggravate and alienate its customers?"

That's really what you're asking.

Apple, like many other companies, stand to lose a vast amount by lying to their customers, or by being seen to be too open with their data. If iOS becomes known as the "NSA's first choice" then it only helps drive customers, both current and future, towards Android. If the gov't offers money (which I seriously doubt, as they can simply demand data with a court order) then they'll have to offset a large number of customers leaving, which seems unlikely.

Doing sinister stuff makes for an okay plot for a film, but doesn't stand the litmus test of "how will this help the business?" It really doesn't.

> Ars deciphers "end-to-end" crypto claims? By making assumptions? Show us how you actually intercept and decrypt someone else's iMessage conversation, to add a little credibility to your assumptions, please.

I think by retrieving the messages on another device they made their case. Now if they had to move a cert between devices, then it would be a different situation.

> Apple, like many other companies, stand to lose a vast amount by lying to their customers, or by being seen to be too open with their data.

Not that I think it's excusable, but I view personal security as something that's only hit the spotlight the past couple of years. That said, a lot of these systems have been around for quite some time. I can think of very few programs or projects where one of the first questions is 'can we keep security in mind?'

> How is "no one but the sender and receiver can read a message" a cagey statement?

There can be multiple receivers, depending on the distributed public key, as mentioned in the article.

No. According to the article there can be a listener. That's different than a receiver. There is no reasonable definition of the "receiver" of a message that includes the MITM or the person on the wiretap. It's only a cagey statement if you are trying to find cageyness where none exists.

> > > How is "no one but the sender and receiver can read a message" a cagey statement?
> >
> > There can be multiple receivers, depending on the distributed public key, as mentioned in the article.
>
> No. According to the article there can be a listener. That's different than a receiver. There is no reasonable definition of the "receiver" of a message that includes the MITM or the person on the wiretap. It's only a cagey statement if you are trying to find cageyness where none exists.

This isn't a real MITM, as no one is in the middle. Apple controls the public keys distributed to the message sender, and the destination devices the message gets sent to. What's to stop the government from compelling Apple to add another device into the recipients list? A user can already do this themselves by logging in and enabling iMessage on an additional device using the same Apple account.

Apple's statement is safe because no one is indeed capturing the message in transit and decrypting it. They're having it delivered to them, arguably with a legal and compelling court order forcing Apple to assist. But in such a scenario, Apple's statement is still technically true. And thus, cagey.

I may have missed the answer to this in the article, but: If I don't have iCloud backups, and my phone catches on fire and dies, and then someone sends me an iMessage, and *then* I configure a new phone (not restoring a backup from iTunes, etc.), can I then read the iMessage? If the answer is yes, then Apple must retain the ability to decrypt the messages. (For extra certainty, reset your Apple password while having no operational Apple devices and without providing your previous password to ensure Apple isn't using it for an encryption key - although from the article it appears they are not.)

Edit: I should point out that I have never used iMessage and have no Apple devices so I may be missing something - e.g. if it isn't possible to be sent an iMessage message when you have no devices currently active.

There could be an explanation as to why the mud puddle experiment "failed." The assumption was that the password directly is the key to decrypt / unlock your iCloud and iMessage data. When you have a small amount of data to encrypt, it's practical to use the password (or hopefully password hash) as the key to decrypt data. When there's a large amount of data, like pictures in your iCloud account, it isn't as practical.

As I understand, many whole disk encryption systems start with a strongly derived symmetric key. This key is used to encrypt and decrypt the drive data. Your chosen password can be used to secure and/or unlock the key. If you want to change your password, the key is encrypted with your new password and stored. If this weren't the case, then the computer would have to re-encrypt the entire drive when you change the password. This is why it would be possible to restore your iCloud account with the changed password onto a new device.

Since Apple can store so much binary data in an iCloud account, I think it's more practical for them to use a WDE-like approach to securing customer data. The mud puddle experiment failure isn't so, depending on how we look at this black box.
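The experiment from the article's "Passing the mud puddle test" section, run against the key-wrapping layout the comment above describes, as an added Go example that is not Apple's code and makes no claim about how iCloud is actually built. It assumes the layout the comment sketches: the bulk data is sealed once under a random data-encryption key (DEK), the DEK is wrapped under a key derived from the password, and a password change re-wraps only the DEK. Two variants are modelled, one where the provider keeps a copy of the DEK and one where it never sees it. The sample backup contents, the passwords and the toy KDF are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Backup as the provider stores it: bulk data sealed under a random DEK, the DEK
// wrapped under a password-derived KEK. EscrowedDEK is non-nil only in the
// provider-escrow design; the client-only design never hands the DEK over.
type Backup struct {
	Salt, WrappedDEK, Ciphertext, EscrowedDEK []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on programming errors such as a bad key size
	}
	return v
}

// Toy password KDF (iterated SHA-256 over salt||password); a real design would use
// PBKDF2 or scrypt at far higher cost. Only the password and salt go in.
func deriveKEK(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 1000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// seal/open: AES-256-GCM with the nonce prepended to the ciphertext.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := g.NonceSize() // every input here was produced by seal, so len(sealed) >= n
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

func CreateBackup(password string, data []byte, providerEscrow bool) *Backup {
	dek, salt := make([]byte, 32), make([]byte, 16)
	must(rand.Read(dek))
	must(rand.Read(salt))
	b := &Backup{Salt: salt, Ciphertext: seal(dek, data)}
	b.WrappedDEK = seal(deriveKEK(password, salt), dek)
	if providerEscrow {
		b.EscrowedDEK = dek
	}
	return b
}

// ResetPassword is the mud puddle step: device and old password are gone and the
// provider, having verified the user some other way (security questions), must
// wrap the DEK under a new password. Only the 32-byte DEK is re-wrapped; the bulk
// ciphertext is untouched. With no escrowed copy there is nothing to wrap.
func ResetPassword(b *Backup, newPw string) error {
	if b.EscrowedDEK == nil {
		return errors.New("no escrowed DEK: backup unrecoverable after reset")
	}
	b.WrappedDEK = seal(deriveKEK(newPw, b.Salt), b.EscrowedDEK)
	return nil
}

// Restore on a fresh device with whatever password the user now knows.
func Restore(b *Backup, password string) ([]byte, error) {
	dek, err := open(deriveKEK(password, b.Salt), b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, b.Ciphertext)
}

// MudPuddle: true means the data came back after a reset made without the old
// password, which is exactly the condition under which the provider can read it.
func MudPuddle(providerEscrow bool) bool {
	msgs := []byte("constructed sample: iMessage thread, June 2013")
	b := CreateBackup("first-password", msgs, providerEscrow)
	if ResetPassword(b, "after-reset") != nil {
		return false
	}
	out, err := Restore(b, "after-reset")
	return err == nil && bytes.Equal(out, msgs)
}

func main() {
	fmt.Println("restored after reset: client-only =", MudPuddle(false), "provider escrow =", MudPuddle(true))
}
```

The escrow variant restores after a reset made without the old password; the client-only variant cannot, because nothing the provider holds can be re-wrapped. That is the whole test: whichever design lets the user recover also lets the provider decrypt, and it makes no difference whether the reset is gated by security questions or by a support agent, since the reset path never touches the old password-derived key. Re-wrapping the DEK without re-encrypting the bulk data, as the comment describes, holds in both variants; it does not by itself make a reset succeed, because the re-wrap needs a copy of the DEK that the old password no longer unlocks.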

> I may have missed the answer to this in the article, but: If I don't have iCloud backups, and my phone catches on fire and dies, and then someone sends me an iMessage, and *then* I configure a new phone (not restoring a backup from iTunes, etc.), can I then read the iMessage? If the answer is yes, then Apple must retain the ability to decrypt the messages.

The answer is 'no'. I've tested similar scenarios (minus the phone on fire) and have concluded that devices that have iMsg enabled and are finished 'Activating...' will only receive iMessages sent after that point.

> I may have missed the answer to this in the article, but: If I don't have iCloud backups, and my phone catches on fire and dies, and then someone sends me an iMessage, and *then* I configure a new phone (not restoring a backup from iTunes, etc.), can I then read the iMessage? If the answer is yes, then Apple must retain the ability to decrypt the messages. (For extra certainty, reset your Apple password while having no operational Apple devices and without providing your previous password to ensure Apple isn't using it for an encryption key - although from the article it appears they are not.)
>
> Edit: I should point out that I have never used iMessage and have no Apple devices so I may be missing something - e.g. if it isn't possible to be sent an iMessage message when you have no devices currently active.

The security questions or your password could either be used to decrypt a strong symmetric key (see my comment above). The small entropy of some reset questions could pose a problem.